Secure Engineering & Product Vulnerability Management

IBM Security Bulletins

Overview

IBM uses various methods to communicate security vulnerability information to customers. A Security Bulletin is used when publicly disclosing security vulnerabilities discovered in IBM offerings. Alternative tools and processes are used, where appropriate (e.g. for z Systems, managed and cloud-based services), when targeted or discrete communication with entitled customers is required. To protect our customers, IBM does not publicly disclose or confirm security vulnerabilities until IBM has conducted an analysis of the product and issued fixes and/or mitigations.

Security Bulletins notify customers about one or more vulnerabilities. Customers are responsible for assessing the impact of any actual or potential security vulnerability in the context of their environment.

z Systems customers should subscribe to the Systems Security Portal to receive information about security and system integrity APARs, their associated fixes, and critical IBM Systems security and integrity service updates.

IBM Security Bulletin Structure and Content

IBM Security Bulletins follow a standard format and include elements that identify the type of vulnerability and its potential impact. Given their sensitive nature, Security Bulletins do not include detailed vulnerability exploitation information. The structure of an IBM Security Bulletin is defined below.

Title

To aid in identification, the title of the security bulletin includes the phrase “Security Bulletin:” followed by a brief statement that includes information such as the nature, or type, of vulnerability and the affected IBM Offering Name. It may also include one or more associated CVE IDs.

Summary

The security bulletin summary provides general information about the nature of the vulnerability.

Vulnerability Details

The vulnerability details section provides a list of Common Vulnerabilities and Exposures (CVE) identifiers and descriptions. CVE IDs are standardized identifiers for common computer vulnerabilities and exposures. Additional CVE information is available via the CVE FAQs.

The vulnerability details section also includes the Common Vulnerability Scoring System (CVSS) details associated with each CVE. IBM intends to use CVSS as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an open standard for assessing the severity or impact of computer system security vulnerabilities. It attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS score is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments. Additional information is available in the CVSS v3.0 User Guide.

Description: A high level description of the vulnerability. IBM does not intend to provide vulnerability details that could enable someone to craft an exploit of the vulnerability.

CVSS Base Score: The CVSS score assigned to the CVE by IBM. The score range is 0 – 10.

CVSS Temporal Score: The temporal score can change over the lifetime of the vulnerability as exploits are developed and disclosed and as mitigations and fixes are made available. The IBM X-Force Exchange Vulnerability Report link includes the current temporal score information.

CVSS Environmental Score: The environmental score uses the base and current temporal score to assess the severity of a vulnerability in the context of the way that the vulnerable product or software is deployed. The CVSS Environmental Score is specific to the customer's environment. Customers can evaluate the impact of the vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

CVSS Vector: The CVSS Vector is a representation of the metric values used to score the vulnerability. The CVSS 2 Calculator and the CVSS 3 Calculator provide details regarding the meaning of the vector string metrics.

Affected products and versions

The affected products and versions section identifies the names of affected IBM Offerings and the versions of those offerings which are affected by the vulnerabilities identified in the security bulletin.

Remediation/fixes

The remediation/fixes section identifies associated fixes, by affected version, as well as how and where to obtain those fixes.

Workarounds and Mitigations

The workarounds and mitigations section identifies usage or configuration changes that may be available in place of fix installation.

References

The references section identifies additional resources that may be useful when evaluating the security bulletin.

Related Information

The related information section identifies additional, related information resources that may be useful when evaluating the security bulletin.

Change History

The change history section summarizes publication and update information associated with the security bulletin. In the event that you receive multiple notifications for a bulletin, re-review the bulletin to determine if the new updates are applicable to your environment.